You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Cryptowall 3.0 - Interesting Fact

Thought I would post the below to anyone interested in what appears to be one way of getting data back.

I had a customer last month whose user id got corrupted. Thus, I created a new user id, copied all her documents from corrupted user id to newly created id. I left all her documents in the old id.

Yesterday she became infected with the Cryptowall 3.0 Ransomeware, plus a whole bunch of other viruses were in her computer. All her documents under the current user id were encrypted. All shadow copies were deleted. She had no backups.

NOW FOR THE INTERESTING FACT: Her documents in the old, corrupted user id were intact. Thus, after removing the Cryptowall 3.0 virus, plus all the other viruses; I copied her files from old id to new id. Thus she got back all her documents, although 3 weeks old.

I was completely surprised that Cryptowall did not encrypt documents in the non-active user id's - just thought I would pass this on to whomever may find it interesting. Hopefully this is not a fluke.